1

This has been stuck in my head for many days. Can anyone help, or at least say that this is not at all possible?

I'm working on developing a chatbot using Dialogflow which integrates multiple applications along with Google Home Assistant, Dialogflow, Actions on Google and an application which I want to manage using chat or voice commands. Until now it's been good, and I've been amazed by the features provided by Google.

But I'm expecting one more feature. I don't know whether any alternatives are available for this or not, but I tried exploring and reached a desert. Below are my requirements; if others think this is really unique and useful to them as well, then I can say they are improvements or add-ons I'm expecting from Dialogflow.

Let's take an example of a chatbot which is serving users through Google Assistant and as a web bot as well. Now, while conversing, intents may trigger a webhook in fulfillments which may require authentication like an OTP (no, if anyone thought it was for payments), which means only registered users or limited users can perform actions. This is the same as how we use roles and groups in all applications.

The way Google sends a Google prompt to the user for logging into Gmail, is there any way that we can collect a PIN, OTP or password through some notification sent to the user's phone, as a card or an input box like in HTML, while conversing with the chatbot through the web or Home Assistant etc., so that it helps in adding more security?

Prisoner
mady Mady

2 Answers

4

I recently worked in a chatbot project where I had to authenticate my users. I'm writing an article about it, but I'll tell you what I did:

First of all, I'm using the OAuth 2.0 protocol to authenticate my users, but if you don't use OAuth, there's no problem, you could do something equivalent.

I'm using the Authorization Code Grant flow.

Let's see the steps:

  • Step 1 - Authorization URL: My bot generates an authorization URL which contains all the data needed to identify the conversation at the callback moment. Like this one:

    https://authorization-server.com/oauth/authorize
      ?client_id={your-client}
      &response_type=code
      &state={conversation_id: 123456789}
      &redirect_uri={your-callback-url}

Notice that the state parameter contains the conversation_id which identifies your conversation; this state parameter will come back when users return to your handler.

  • Step 2 - User Authentication: When users click on this link, they'll be redirected to your login page at your authorization server.

  • Step 3 - Callback: After users get authenticated, they'll be redirected back to your handler (an endpoint which will receive the authorization code from the authentication server and the state parameter). When it receives this authorization code, it'll be exchanged for an access token at the authorization server.

  • Step 4 - Store token: In the final step, you already have an access token and the conversation_id parameter; you can store it in a database, in a cache or be stateless. Your rules!

In my case, I'm using Watson Assistant with a Cloudant database, and I store those access tokens in my database. So, when users request something from my bot, it can get this token from the database and pass it to my back-end servers.

I call this kind of approach a "magic link". And you could improve it by shortening the URL as bit.ly does.

I hope it helps you; feel free to ask me if you need anything.

Best

Bruce
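An added example, not part of the answer above or of its author's project: one way to carry the conversation_id in the state parameter of Steps 1 and 3 so the callback handler can check that the value was issued by the bot, was not altered, and has not expired. The key, the TTL, the function names and the sample values are assumptions; the authorization endpoint is the one shown in the answer.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for this example: key, TTL and all function names.
STATE_KEY = b"constructed-demo-key"  # server-side secret, never sent to the client
STATE_TTL = 300                      # seconds the login link stays valid
AUTHORIZE_URL = "https://authorization-server.com/oauth/authorize"  # from the answer

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _tag(payload):
    return _b64(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())

def make_state(conversation_id, now=None):
    """Step 1: pack conversation_id and expiry, then append an HMAC tag."""
    body = {"cid": conversation_id, "exp": int((now or time.time()) + STATE_TTL)}
    payload = _b64(json.dumps(body).encode())
    return payload + "." + _tag(payload)

def build_authorization_url(conversation_id, client_id, redirect_uri, now=None):
    """Step 1: the link the bot sends into the conversation."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id,
        "response_type": "code",
        "state": make_state(conversation_id, now),
        "redirect_uri": redirect_uri,
    })

def conversation_from_callback(callback_url, now=None):
    """Step 3: return (code, conversation_id) only for an authentic, unexpired state."""
    params = parse_qs(urlparse(callback_url).query)
    if "code" not in params or "state" not in params:
        raise ValueError("missing code or state")
    payload, _, tag = params["state"][0].partition(".")
    # Constant-time comparison; verify before decoding anything from the payload.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        raise ValueError("state signature mismatch")
    body = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if (now or time.time()) > body["exp"]:
        raise ValueError("state expired")
    return params["code"][0], body["cid"]
```

The returned code is what Step 3 exchanges for an access token. Single-use tracking of issued states needs server-side storage and is not shown here.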
1

You probably don't want to implement the OTP scheme yourself. While you could do this, there are other systems already in place that will do this for you.

The best is the one that you reference - Google Sign In.

Fortunately, you can leverage Google Sign In for both your website (where you would get the user to sign in and then pass this information along as you do the Dialogflow calls) and for the Assistant (where Google will pass along an ID token, indicating it has authenticated the user).

Prisoner
  • Hello @Prisoner, I appreciate it, and thank you so much for the early response. If I elaborate on my scenario, I may get an exact answer. My expectation is: let's take an example of ordering food, where I will ask the assistant/chatbot to talk with a restaurant bot, which in turn triggers a webhook. While ordering, let's take an example where I want to submit an OTP provided by the restaurant guys regarding confirmation of the order (it may or may not be an OTP related to payment). So in this case I want to send a notification to the user asking for the OTP in the form of an input box or Google prompt where the user can enter it. – mady Mady Jun 26 '18 at 11:47
  • If you need to elaborate on or clarify the question, please update the question. Don't try to elaborate in a comment. – Prisoner Jun 26 '18 at 13:52
  • Sure, I will update the question. Thank you for suggesting. :) @Prisoner – mady Mady Jul 09 '18 at 07:31